FINE-GRAINED FORWARD-SECURE SIGNATURE SCHEME



TECHNICAL FIELD 

The present invention relates to a method for providing a secret cryptographic key and public
cryptographic key applicable in a network of connected computer nodes using a signature
scheme. Moreover, the invention relates to methods for providing and verifying a signature
value on a message in the network of connected computer nodes. A method for
communicating the validity of the generated signature value in the event of a detected
intrusion is also disclosed herein.



BACKGROUND OF THE INVENTION

Electronic or digital signatures are used to authenticate information, that is to securely tie the
contents of an electronic document to a signer, more precisely, to the signer's public key. Only
the true signer should be able to produce valid signatures, and anyone should be able to verify
them in order to convince oneself that the signer indeed signed the document. While many
digital signature schemes have been proposed so far, a few are used in practice today.

Ordinary digital signature schemes suffer from a fundamental shortcoming: once the secret
key is leaked, for example because a hacker managed to break into the signer's computer, and,
when this leakage is detected, the public key is revoked, then all signatures produced by the
signer become repudiable, i.e., it is no longer possible to distinguish whether a signature was
produced by the signer or the hacker. Therefore ordinary signature schemes cannot per se
provide non-repudiation. One possibility to achieve non-repudiation is to use a so-called
time-stamping service. Here each signature is sent to a trusted third party who signs a message
containing the signature and the current date and time. A signature is considered
non-repudiable if it was time-stamped before the signer revoked her public key. Hence,
assuming that the trusted third party's key is never leaked, non-repudiation is guaranteed.
However, this solution requires frequent interaction with a trusted third party, e.g., the
time-stamping service, which is not desirable.

Another possibility is to change the keys frequently, i.e., to use a different key pair each day
and delete all the secret keys of past days. It is then understood that if a day has passed
without the user having revoked that day's key, then all the signatures made with respect to
that key are non-repudiable. This either again requires frequent interaction with the trusted
third party, or the public key becomes large, i.e., a list of many public keys. Forward secure
signature schemes as introduced by R. Anderson in "Two remarks on public-key
cryptography", Manuscript, presented by the author at the 4th ACM CCS (1997), September
2000, and formalized by Bellare and Miner in "A forward-secure digital signature scheme", In
Michael Wiener, editor, Advances in Cryptology - CRYPTO '99, volume 1666 of LNCS,
pages 431-448, Springer Verlag, 1999, solve this problem by having only one public key but
many secret keys, one for each time period. In fact, most forward secure signature schemes
allow one to derive the secret key of the current time period from the one of the previous
period in a one-way fashion.

In principle, a forward secure signature scheme can be obtained from any ordinary signature
scheme: the signer chooses new secret and public keys for each time period. The public key of
the forward secure signature scheme becomes the set of the ordinary public keys indexed by
the time period for which they are valid. To sign a message the signer uses the secret key of
that period. Once a time period has passed, the signer deletes the respective secret key. It is
easy to see that this scheme is forward secure. However, the scheme is rather inefficient in
terms of (public and secret) storage.

However, current forward secure signature schemes suffer from the following problem. In
case of a hacker's break-in, all the signatures made in this time-period have to be recalled and
the (honest) signer needs to re-issue them. One solution to this is to use small time-periods,
which only works if the complexity of the key update is comparable to the complexity of
signing.

From the above it follows that there is a call for an improved forward secure signature scheme
that is more secure and efficient. The scheme should furthermore allow one to react to a
hacker's break-in immediately without re-issuing signatures for the past.

SUMMARY AND ADVANTAGES OF THE INVENTION

In accordance with a first aspect of the present invention, there is given a method for
providing a secret cryptographic key sk and a public cryptographic key pk applicable in a
network of connected computer nodes using a signature scheme. The method is executable by
a first computer node and comprises the steps of generating the secret cryptographic key sk by
selecting two random factor values P, Q, multiplying the two selected random factor values P,
Q to obtain a modulus value N, and selecting a secret base value g', h', x' in dependence on
the modulus value N, wherein the secret base value g', h', x' forms part of the secret
cryptographic key g', h', x'. The method further comprises generating the public cryptographic
key pk by selecting a number I of exponent values e_1,...,e_I, and deriving a public base value
g, h, x from the exponent values e_1,...,e_I and the secret base value g', h', x', wherein the
public base value g, h, x and the modulus value N form part of the public cryptographic key
g, h, x, N. The method further comprises the steps of deleting the two random factor values
P, Q; and providing the public cryptographic key g, h, x, N within the network; such that the
public cryptographic key g, h, x, N and at least one of the selected exponent values e_1,...,e_I
is usable for verifying a signature value i, y, a on a message m to be sent within the network to
a second computer node for verification.

In a second aspect of the present invention, there is given a method for providing a signature
value i, y, a on a message m in a network of connected computer nodes, the method being
executable by a first computer node and comprising the steps of selecting a first signature
element a; selecting a signature exponent value e_i from a number I of exponent values
e_1,...,e_I; and deriving a second signature element y from a provided secret cryptographic
key g'_i, h'_i, x'_i, the message m, and the number I of exponent values e_1,...,e_I such that
the first signature element a, the second signature element y, and the signature exponent value
e_i satisfy a known relationship with the message m and a provided public cryptographic key
g, h, x, N, wherein the signature value i, y, a comprises the first signature element a, the
second signature element y, and a signature reference i to the signature exponent value e_i,
the signature value i, y, a being sendable within the network to a second computer node for
verification.



In a third aspect of the present invention, there is given a method for verifying a signature
value i, y, a on a message m in a network of connected computer nodes, the method being
executable by a second computer node and comprising the steps of receiving the signature
value i, y, a from a first computer node; deriving a signature exponent value e_i from the
signature value i, y, a; and verifying whether the signature exponent value e_i and part of the
signature value i, y, a satisfy a known relationship with the message m and a provided public
cryptographic key g, h, x, N, otherwise refusing the signature value i, y, a, wherein the
signature value i, y, a was generated from a first signature element a, a number I of exponent
values e_1,...,e_I, a provided secret cryptographic key g'_i, h'_i, x'_i, and the message m.

In a fourth aspect of the present invention, there is given a method for communicating within
a network of connected computer nodes the validity of a signature value i, y, a in the event of
an exposure of a secret cryptographic key sk relating to the signature value i, y, a, the method
comprising the steps of defining an order of exponent values e_1,...,e_I; publishing a
description of the exponent values e_1,...,e_I and the order of the exponent values e_1,...,e_I
within the network; publishing a revocation reference j to one of the exponent values
e_1,...,e_I within the network such that the validity of the signature value i, y, a is
determinable by using the revocation reference j, the order of exponent values e_1,...,e_I, and
a provided public cryptographic key pk.

The presented methods form the basis of a forward-secure signature scheme that is provably
secure, i.e., its security relies on no heuristic such as the random oracle model. Moreover, the
presented methods also form the basis of a fine-grained forward-secure signature scheme that
is secure and efficient. The latter scheme allows one to react immediately to hacker break-ins
such that signature values from the past still remain valid without re-issuing them and future
signature values based on an exposed key can be identified accordingly. In other words, when
using the fine-grained forward-secure signature scheme there is no need to re-sign signature
values produced in a current time period in the event of a secret-cryptographic-key exposure.
Re-signing is tedious, because it would involve contacting the parties again, and possibly some
re-negotiating.

In general, the presented methods form the basis of a forward-secure signature scheme, in
which each prepared signature value, also referred to as signature, carries an ascending
signature reference j, that also is contemplated as an ascending index j. This index j is
attached to the signature value i, y, a in a way such that once it is used, no lower index can be
used again to sign. Then, whenever an adversary breaks in, an honest signer can just announce
the current index, e.g., by signing some special message with respect to the current index, as
part of the revocation message for the current time period. It is then understood that all
signatures made in prior time periods as well as all signatures made in the revoked period up
to the announced index are valid, i.e., non-repudiable.

Instead of using time periods, like in ordinary forward-secure signature schemes, the
fine-grained forward-secure signature scheme updates the secret cryptographic key whenever
a new message is signed. In the event of a break into a signer's system, which can be
immediately noticed due to the existence of tools called intrusion detection systems, one can
revoke the public cryptographic key g, h, x, N and publish the last used index j. Thereby other
computer nodes can be informed about the validity of already issued signatures. This prevents
other parties from using the exposed provided secret cryptographic key g'_i, h'_i, x'_i to sign
while not requiring past signatures to be re-issued.

A description of the exponent values e_1,...,e_I can be provided within the network. This
allows every interested party to verify the validity of the signature.

An order of the selected exponent values e_1,...,e_I can be defined to enable communicating
the validity of the signature value i, y, a in the event of a detected intrusion. This enables the
fine-grained property of the presented scheme.

Each of the exponent values e_1,...,e_I can be applied to at most one signature value i, y, a,
which allows a secure signature scheme to be provided.

A more efficient signature generation can be achieved when the derivation of the signature
element y further comprises the step of deriving a signature base value g_i, h_i, x_i by using
the provided public cryptographic key g, h, x, N, the provided secret cryptographic key g'_i,
h'_i, x'_i, and the exponent values e_1,...,e_I.

When a new secret cryptographic key g'_{i+1}, h'_{i+1}, x'_{i+1} is derived from the provided
secret cryptographic key g'_i, h'_i, x'_i and the selected signature exponent value e_i, then
the advantage occurs that forward security can be achieved.

DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention are described in detail below, by way of example
only, with reference to the following schematic drawings.

FIG. 1 shows a typical network of connected computer nodes.

FIG. 2 shows a schematic flow diagram for providing a secret cryptographic key and a
       public cryptographic key applicable in the network of connected computer nodes.

FIG. 3 shows a schematic flow diagram for providing a signature value on a message
       in the network of connected computer nodes.

FIG. 4 shows a schematic flow diagram for verifying the signature value.

FIG. 5 shows a schematic flow diagram for communicating within the network of
       connected computer nodes the validity of the signature value in the event of an
       exposure of a secret cryptographic key relating to the signature value.

The drawings are provided for illustrative purpose only and do not necessarily represent
practical examples of the present invention to scale.

Glossary

The following are informal definitions to aid in the understanding of the description. The
following signs relate to the terms indicated beside and are used within the description.

P, Q                              random factor values, preferably primes
N                                 modulus value
k                                 number of bits of N
e_1,...,e_I                       exponent values
e_i                               signature exponent value
W                                 seed, part of description of exponent values
QR_N                              subgroup of squares in Z*_N
l                                 security parameter
{0,1}^l                           bit-strings of length l
g', h', x'                        secret base value being part of a secret cryptographic key (sk)
g'_i, h'_i, x'_i                  provided secret cryptographic key
g'_{i+1}, h'_{i+1}, x'_{i+1}      new or updated secret cryptographic key
g, h, x                           forming a public base value
g, h, x, N                        public cryptographic key (pk) or provided public cryptographic key (pk)
a                                 first signature element
y                                 second signature element
i                                 signature reference to a signature exponent value e_i
j                                 revocation reference
j'                                signature reference
I                                 number of signature values producable
i, y, a                           forming a signature value
m                                 message
p_1, p_2, p_3, p_4                first, second, third, fourth computer node
t_0                               starting time
T                                 time period
t_Δ                               duration of time period
s                                 number of producable signature values per time period

DETAILED DESCRIPTION AND EMBODIMENTS

With general reference to the figures, the features of a fine-grained forward-secure signature
scheme within a network are described in more detail below.

Fig. 1 shows an example of a common computer system 2. It comprises here
a first, second, third, and fourth computer node p_1, p_2, p_3, p_4 which are connected via
communication lines 5 to a network. Each computer node p_1, p_2, p_3, p_4 may be any type of
computer device or network device known in the art, from a computer on a chip or a wearable
computer to a large computer system. The communication lines can be any communication
means commonly known to transmit data or messages from one computer node to another.
For instance, the communication lines may be either single, bi-directional communication
lines 5 between each pair of computer nodes p_1, p_2, p_3, p_4 or one unidirectional line in
each direction between each pair of computer nodes p_1, p_2, p_3, p_4. The common computer
system 2 is shown to facilitate the description of the following methods forming and allowing
a forward-secure signature scheme and a fine-grained forward-secure signature scheme.

Key Generation 

Fig. 2 shows a schematic flow diagram for providing a secret cryptographic key and a public
cryptographic key applicable in the network of connected computer nodes. The steps to be
performed are indicated in boxes and labeled with numbers, respectively. The same reference
numerals or signs are used to denote the same or like parts.

The generation of a secret cryptographic key sk, also referred to as secret key, and a public
cryptographic key pk, also referred to as public key, is here performed by the first computer
node p_1.

First, the secret cryptographic key sk is generated by selecting two random factor values P,
Q, labeled with 20, 21. These two selected random factor values P, Q are then multiplied and
a modulus value N is thereby obtained, as labeled with 22. Then, a secret base value g', h', x'
is selected in dependence on the modulus value N, as labeled with box 23, wherein the secret
base value g', h', x' forms part of the secret cryptographic key sk, here also denoted as g', h', x'.

Second, the public cryptographic key pk is generated by selecting a number I of exponent
values e_1,...,e_I, as labeled with box 24. A public base value g, h, x is derived from the
exponent values e_1,...,e_I and the secret base value g', h', x', as labeled with 25, wherein the
public base value g, h, x and the modulus value N form part of the public cryptographic key
pk, also denoted as g, h, x, N, and labeled with 26. The two random factor values P, Q should
be deleted afterwards for security reasons, as indicated with 27. The public cryptographic key
g, h, x, N is provided within the network, as indicated with 28, such that other computer nodes
p_2, p_3, p_4 have access to this key. Later on, the public cryptographic key g, h, x, N and at
least one of the selected exponent values e_1,...,e_I will be usable for verifying a signature
value i, y, a, also referred to as signature, on a message m which is to be sent within the
network to, e.g., the second computer node p_2 for verification purposes.

In the following the generation of the secret cryptographic key sk and the public cryptographic
key pk is presented as an embodiment with some more mathematical details. At first a random
RSA modulus value N of size k bits is chosen. The modulus value N is preferably a product of
two safe primes. By QR_N is denoted a subgroup of squares in Z*_N, whereby all group
operations will be performed in this group. A random seed W is chosen and used, by
applying some pseudorandom generator, to construct the number I of random unique
(l + 1)-bit prime exponent values e_1,...,e_I. Publishing this seed W (as a part of the public
cryptographic key pk) allows any computer node p_2, p_3, p_4 to reproduce the exponent
values e_1,...,e_I. It is also possible to publish all the exponent values e_1,...,e_I as a part of
the public cryptographic key pk. Moreover, since different signers can use the same exponents
they can be published by some trusted organization. Further, the secret base value g', h', x' is
selected randomly from QR_N. It is computed



g -=8 



The public cryptographic key pk is here pk := N, g, h, x, W. The secret cryptographic key sk is
here sk := g', h', x'. It is set j := 0.

Signing

Fig. 3 shows a schematic flow diagram for providing a signature value on a message m in the
network of connected computer nodes. If the public cryptographic key pk has not yet been
revoked, the signature value i, y, a on the message m is here performed by the first computer
node p_1. The first computer node p_1 is also referred to as signer or signing party. At first, a
first signature element a is selected, as labeled with 30. Moreover, a signature exponent value
e_i is selected from a number I of exponent values e_1,...,e_I, as shown in box 31. As indicated
with box 32, a second signature element y is derived from a provided secret cryptographic key
g'_i, h'_i, x'_i, labeled with 33, the message m, which is labeled with 34, and the number I of
exponent values e_1,...,e_I such that the first signature element a, the second signature
element y, and the signature exponent value e_i satisfy a known relationship, that is
representable as a verification equation, with the message m and the provided public
cryptographic key pk comprising g, h, x, N. The signature value i, y, a, as labeled with 35,
finally comprises the first signature element a, the second signature element y, and a signature
reference i to the signature exponent value e_i. The signature value i, y, a is then sent within
the network to, e.g., the second computer node p_2 for verification purposes.

The generation of the signature value i, y, a is addressed hereafter with regard to some more
mathematical aspects. It is assumed that the message m is to be signed. If the public
cryptographic key pk has been revoked, e.g., because the secret cryptographic key sk has been
leaked, or if i > I, i.e., the maximal number of producable signature values has been reached,
then signing is aborted. Given the secret cryptographic key sk_i = g'_i, h'_i, x'_i one can
compute elements g_i, h_i, and x_i such that

$$g_i^{e_i} = g, \quad h_i^{e_i} = h, \quad \text{and} \quad x_i^{e_i} = x.$$

Then, one chooses a first signature element a that is random, with a ∈ {0,1}^l, and computes

$$y := x_i \, g_i^{a} \, h_i^{a \oplus H(m)}.$$

The signature on the message m is here i, y, a.



After having signed, the secret cryptographic key sk is updated by computing

$$g'_{i+1} = {g'_i}^{e_i}, \quad h'_{i+1} = {h'_i}^{e_i}, \quad \text{and} \quad x'_{i+1} = {x'_i}^{e_i},$$

and setting the secret cryptographic key sk to sk_{i+1} := (g'_{i+1}, h'_{i+1}, x'_{i+1}) and
updating i := i + 1.

Signature Verification

Fig. 4 shows a schematic flow diagram for verifying the signature value i, y, a. The
verification of the signature value i, y, a on the message m is here performed by the second
computer node p_2. The signature value i, y, a is received by the second computer node p_2
from the first computer node p_1, as indicated by box 40. Then, the second computer node p_2
derives a signature exponent value e_i from the signature value i, y, a, as indicated with box
41. It can be verified whether or not the signature exponent value e_i is a member of a number
I of exponent values e_1,...,e_I, as indicated with box 42, wherein a description of the exponent
values e_1,...,e_I is accessible within the network, as indicated with box 43. If the signature
exponent value e_i is not a member of a number I of exponent values e_1,...,e_I then the
signature value i, y, a might be refused. As shown with box 44, it is verified whether or not the
signature exponent value e_i and part of the signature value i, y, a satisfy a known relationship,
i.e. the verification equation, with the message m and a provided public cryptographic key g,
h, x, N, as provided in box 43. When this verification fails, the signature value i, y, a is
refused. The results of the verifications 42, 43 are either "true" or "false" as indicated in the
figure with "T" and "F", whereby "false" or "F" leads to a refusal of the signature value i, y, a
and "true" or "T" to an acceptance. It can be determined that the signature value i, y, a was
generated from the first signature element a, the number I of exponent values e_1,...,e_I, a
provided secret cryptographic key g'_i, h'_i, x'_i, and the message m.

In another example, the second computer node p_2, that is also referred to as verifier, checks
whether or not i, y, a, W is the signature, i.e., the signature value, on the message m. Firstly it
is checked if 0 ≤ i ≤ I. Secondly the second computer node p_2 generates the signature
exponent value e_i from the signature reference i and the seed W, that here also is included in
the signature value i, y, a, W. Finally the verifier, i.e., the second computer node p_2, accepts
the signature if the following known relationship, i.e. the verification equation, is fulfilled

$$y^{e_i} = x \, g^{a} \, h^{a \oplus H(m)} \bmod N.$$

Revocation

Fig. 5 shows a schematic flow diagram for communicating within the network of connected
computer nodes the validity of the signature value i, y, a in the event of an exposure of a
secret cryptographic key sk, as indicated with 54, relating to the signature value i, y, a. The
validity of a signature value i, y, a is communicated within the network as follows. An order
of exponent values e_1,...,e_I is defined, as indicated with 50, whose description is provided
within the network, as indicated with 51. The order of exponent values e_1,...,e_I is also
published within the network, as indicated with 51. Furthermore, a revocation reference j to
one of the exponent values e_1,...,e_I is published within the network, as indicated with 52,
such that the validity of the signature value i, y, a is determinable, as indicated with 53, by
using the revocation reference j, the order of exponent values e_1,...,e_I, and a provided public
cryptographic key pk, shown with 55.
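
The key generation, signing, key update, verification and revocation steps described above, put together as an added Python example; it is not code from the patent. Assumptions made here: toy parameter sizes, SHA-256 as both the hash H and the pseudorandom generator for the exponents, indices running from 1 to I, public base values equal to the secret base values raised to the product of all exponents (the choice consistent with the signing relation and the key update), and a simplified revocation check that rejects every index above the published revocation reference j.

```python
import hashlib
import secrets
from math import prod

L_BITS = 32  # security parameter l (toy size, constructed for this example)
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def exponents(W, count):
    """Reproduce e_1..e_I from the public seed W as unique (l+1)-bit primes."""
    out, ctr = [], 0
    while len(out) < count:
        d = hashlib.sha256(W + ctr.to_bytes(4, "big")).digest()
        c = (1 << L_BITS) | int.from_bytes(d[:4], "big") | 1
        if c not in out and is_prime(c):
            out.append(c)
        ctr += 1
    return out

def H(m):
    return int.from_bytes(hashlib.sha256(m).digest()[:L_BITS // 8], "big")

def keygen(I=6, prime_bits=64):
    P, Q = safe_prime(prime_bits), safe_prime(prime_bits)
    N = P * Q
    del P, Q  # the factors are deleted after computing N
    W = secrets.token_bytes(16)
    E = prod(exponents(W, I))
    base = [pow(secrets.randbelow(N - 3) + 2, 2, N) for _ in range(3)]  # g', h', x' in QR_N
    g, h, x = (pow(v, E, N) for v in base)  # assumed: public = secret ^ (e_1 * ... * e_I)
    return {"N": N, "g": g, "h": h, "x": x, "W": W, "I": I}, {"i": 1, "base": base}

def sign(pk, sk, m):
    i, N, es = sk["i"], pk["N"], exponents(pk["W"], pk["I"])
    if i > pk["I"]:
        raise ValueError("maximal number of signature values reached")
    # g_i, h_i, x_i with g_i^{e_i} = g: raise the current key to e_{i+1} * ... * e_I
    g_i, h_i, x_i = (pow(v, prod(es[i:]), N) for v in sk["base"])
    a = secrets.randbits(L_BITS)
    y = x_i * pow(g_i, a, N) * pow(h_i, a ^ H(m), N) % N
    # key update g'_{i+1} = g'_i^{e_i}: index i can never be used again
    sk["base"] = [pow(v, es[i - 1], N) for v in sk["base"]]
    sk["i"] = i + 1
    return i, y, a

def verify(pk, m, sig, revoked_at=None):
    """revoked_at is the published revocation reference j (None if not revoked)."""
    i, y, a = sig
    if not (1 <= i <= pk["I"] and 0 <= a < 1 << L_BITS):
        return False
    if revoked_at is not None and i > revoked_at:
        return False  # produced after the announced last honest index
    N, e_i = pk["N"], exponents(pk["W"], pk["I"])[i - 1]
    rhs = pk["x"] * pow(pk["g"], a, N) * pow(pk["h"], a ^ H(m), N) % N
    return pow(y, e_i, N) == rhs

def demo():
    pk, sk = keygen()
    s1, s2 = sign(pk, sk, b"invoice 1"), sign(pk, sk, b"invoice 2")
    stolen = {"i": sk["i"], "base": list(sk["base"])}  # break-in after two signatures
    forged = sign(pk, stolen, b"forged order")
    j = s2[0]  # honest signer announces the last index she used
    return {
        "honest_still_valid": verify(pk, b"invoice 1", s1, j) and verify(pk, b"invoice 2", s2, j),
        "forged_without_revocation": verify(pk, b"forged order", forged),
        "forged_after_revocation": verify(pk, b"forged order", forged, j),
        "forged_index": forged[0],
    }

if __name__ == "__main__":
    print(demo())
```

The copied key can only sign at index 3 or higher, so publishing j = 2 rejects the forged signature while both earlier signatures stay valid without being re-issued.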

The following provides some more brief embodiments on how to use the presented signature
scheme as forward-secure signature scheme and fine-grained forward-secure signature
scheme, which are provably secure without random oracles.

Forward-Secure Signature Scheme 

The presented signature scheme can be used as forward-secure signature scheme with the 
particular property that one can sign only one message per time period. That is, one assigns 
each index j to a time-period rather than to a message. 

Being able to sign only a single message per time-period is of course not very practical.
However, using any ordinary signature scheme S together with the presented signature
scheme, one can obtain a forward-secure signature scheme where one can sign many messages
per time-period as follows.

One generates a new instance, i.e., public and secret key pairs, of S (called S_i) for each time
period T_i, with 1 ≤ i ≤ I, and signs its public key pk_i as the i-th message in the presented
signature scheme.

To sign a message m in time-period T_i, one can then use the signature scheme S_i to sign the
message m resulting in a signature s_m. Thus the final signature on message m comprises the
signature s_m, the public key pk_i, plus the signature on that public key performed with the
presented signature scheme applying index i.

Fine-Grained Forward-Secure Signature Schemes

The presented signature scheme does not prevent a dishonest signer from invalidating a
signature made in the past by claiming that a break-in happened and publishing an index that
is smaller than the one the signer used with that signature. It seems to be unavoidable that a
signer is allowed some time (e.g., an hour) after generating a signature during which she can
still recall the signature by claiming a break-in happened. This is because the signer should be
allowed some time to figure out that a break-in happened and to react to it. In the following,
three examples I., II., and III. are presented to overcome this problem.

I. A Two-Level Scheme

One instantiation of the presented signature scheme is used, call it the A-scheme, where each
index denotes a time-period, i.e., index i denotes here the time period T_i from t_0 + i·t_Δ to
t_0 + (i + 1)·t_Δ, where t_0 is the starting time and t_Δ is the duration of the time-period. The
public key of this scheme becomes the public key of a user. Furthermore, a parameter j_Δ is
published as part of the public key, whereby the parameter j_Δ controls the time the user can
take to note that the secret key got compromised.

Then, for each time-period a second instantiation of the presented signature scheme is used,
call it the B_i-scheme, and its public key is signed using the A-scheme with respect to the index
i of that time-period. After this, the secret key of the A-scheme is updated and the new current
index of this scheme becomes i + 1.

To sign a j-th message of the current time period T_i, the B_i-scheme with index j is used. The
signature on the message comprises this signature, the public key of the B_i-scheme, and the
signature on this public key made with the A-scheme. Again, after signing, the secret key of
the B_i-scheme is updated and the new current index is j := j + 1.

Whenever a signer wants to revoke her key, e.g., in time-period T_{i'}, she sends a trusted third
party, hereafter abbreviated to TTP, a predetermined message that indicates this, signed with
the B_{i'}-scheme using the current index, here j'. Such a signature is called a revocation
signature. The TTP verifies the signature and checks whether T_{i'} is the current time period.
If this is the case the TTP accepts the revocation and publishes the signature appropriately.
The signer is not precluded from revoking several times in the same time period.

A user's signature with indices i and j is considered valid if no revocation happened, or if a
revocation with indices i' and j' happened (where i' and j' are the smallest indices of any
revocation signature published by the TTP), if i ≤ i' and j ≤ j' − j_Δ holds. Until the
time-period in which a signature was signed has passed, one cannot be sure whether the
signature will be valid or not. This, however, holds true for any forward-secure signature
scheme.

The reason that the signer is allowed to revoke one key several times is that otherwise an
adversary who knows the secret key could send a revocation message with index j that is
higher than the signer's current index. It is easy to see that this gives a fine-grained forward
secure signature scheme. Instead of the presented signature scheme, one could use any
forward secure signature scheme as A-scheme.

II. Using a Public Archive

The second example replaces the A-scheme in the previous example with a public archive. It
is assumed that it is not possible to delete messages from the archive and that messages are
published together with the exact time they were received by the archive.

Given such an archive, a fine-grained forward-secure signature scheme is achieved as follows 
using only one instantiation of the presented signature scheme. The signature on the message 
m is performed with the presented signature scheme using the current index. After signing, the 
secret key is updated. 

At the end of each time period, the user signs a predetermined message, e.g., "last index used
in time period T_i", by applying the presented signature scheme and using the current index,
here j, and then updates the secret key and sends this index signature to the public archive.
The public archive posts the message along with the time it received the signature.

Whenever a signer wants to revoke her key, e.g., in time-period T_{i'}, she sends the TTP a
preferably predetermined message that indicates this, signed with the presented signature
scheme using the current index j'. The TTP verifies the signature and checks whether T_{i'} is
the current time period and whether j' is not smaller than the index j of the index signature the
signer provided to the public archive during the previous time period. If this is the case the
TTP accepts the revocation and publishes the signature appropriately. Again, the signer is not
precluded from revoking several times in the same time period.

In this second example, a user's signature with index i is considered valid if no revocation
happened, or if revocation happened, if i < j' − j_Δ or if i < j, where j' is the smallest index of
any revocation signatures published by the TTP and j is the index j of the index signature the
signer provided to the public archive in the time-period prior to the one in which the key was
revoked.

In this example scheme, one cannot be sure that a signature signed in some time-period is 
valid until the time period has passed and the signer has published a signature with a higher 
index in the archive. Compared to the first example solution, the second one has the 
advantage that signatures are shorter. 

For practical reasons, the signer might be allowed some time after the passing of a time-period 
to publish an index signature in the archive and to perform revocation. This allows one to 
handle a break-in at the very end of a time period. As a consequence, the signer should be 
allowed to put several index signatures in the public archive per time-period, the one with the 
lowest index being the one that counts. A signature with index i is then counted valid if no 
revocation happens, or if revocation happens, if i < j" where j" is the index of the 
revocation signature. 
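The archive and TTP checks of this second example can be modelled as follows. This is an added illustration, not code from the patent: the class and function names are hypothetical, signature verification is represented by a boolean flag, the amount subtracted from the revocation index is passed in as `margin`, and accepting a revocation when no earlier index signature exists is an assumption.

```python
from typing import List, Optional, Tuple


class PublicArchive:
    """Append-only archive of index signatures, keyed by the period they name."""

    def __init__(self) -> None:
        self._posts: List[Tuple[int, int, float]] = []  # (period, index, received_at)

    def post(self, period: int, index: int, received_at: float) -> None:
        self._posts.append((period, index, received_at))  # entries are never deleted

    def index_for(self, period: int) -> Optional[int]:
        # If several index signatures name one period, the lowest index counts.
        found = [idx for p, idx, _ in self._posts if p == period]
        return min(found) if found else None


class TTP:
    """Accepts and publishes revocations; signature checking is a flag here."""

    def __init__(self, archive: PublicArchive) -> None:
        self.archive = archive
        self.published: List[Tuple[int, int]] = []  # (period, revocation index)

    def revoke(self, period: int, j_rev: int, current_period: int,
               signature_ok: bool = True) -> bool:
        j_prev = self.archive.index_for(current_period - 1)
        if not signature_ok or period != current_period:
            return False
        # Assumption: with no earlier index signature there is nothing to compare.
        if j_prev is not None and j_rev < j_prev:
            return False
        self.published.append((period, j_rev))
        return True


def is_valid_with_archive(i: int, ttp: TTP, margin: int) -> bool:
    """Validity of a signature with index i under the second example's rule."""
    if not ttp.published:
        return True
    period, j_rev = min(ttp.published, key=lambda r: r[1])  # smallest index counts
    j_prev = ttp.archive.index_for(period - 1)
    return i < j_rev - margin or (j_prev is not None and i < j_prev)
```
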

III. Allowing s Signatures Per Time-Period 

In the third example only one instantiation of the presented signature scheme is used. The 
index is bound to the time-periods by allowing exactly s signatures per time-period. The 
parameter s together with t_0 and t_Δ is published as part of the public key. 

Thus in time-period T_i the indices i·s, ..., (i + 1)s - 1 can be used to sign. To revoke a key, the 
signer sends the revocation signature produced with the current index j' to the TTP. The TTP 
verifies the signature and publishes it if the signature's index matches the current time-period. 

The signature with index j is considered valid if no revocation happened, or in case a 
revocation signature with index j' was published, if j belongs to an earlier time-period than j' 
or if j < j' - j_Δ. 

The rationale behind this third example is that the work of signing a message in the presented 
signature scheme is governed by updating the secret key. Thus one could calculate how many 
signatures one can possibly issue during a time period given the computational power one has 
and then set s to this number. Then, one would constantly perform the secret key update, even 
if no message was signed. This approach would not change the response behavior of the 
system very much, but does not use a public archive and the signatures are smaller than in the 
first example. 
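The binding of indices to time-periods in this third example, and the resulting TTP and validity checks, can be written out as below. This is an added illustration, not code from the patent: all names are hypothetical, and reading the two published time parameters as the start of period 0 and the period length in seconds is an assumption, as is passing the amount subtracted from the revocation index as `margin`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PublicParams:
    s: int        # indices (signatures) allowed per time-period
    t0: int       # assumed meaning: start of time-period 0, in seconds
    t_delta: int  # assumed meaning: length of one time-period, in seconds
    margin: int   # amount subtracted from the revocation index in the rule


def indices_for_period(p: PublicParams, i: int) -> range:
    """Indices usable in time-period i: i*s .. (i+1)*s - 1."""
    return range(i * p.s, (i + 1) * p.s)


def period_of_index(p: PublicParams, j: int) -> int:
    return j // p.s


def period_of_time(p: PublicParams, now: int) -> int:
    return (now - p.t0) // p.t_delta


def ttp_accepts(p: PublicParams, j_rev: int, now: int,
                signature_ok: bool = True) -> bool:
    """The TTP publishes a revocation only if its index lies in the current period."""
    return signature_ok and period_of_index(p, j_rev) == period_of_time(p, now)


def is_valid_with_quota(p: PublicParams, j: int, j_rev: Optional[int]) -> bool:
    """Validity of a signature with index j given the published revocation index."""
    if j_rev is None:
        return True                      # no revocation happened
    if period_of_index(p, j) < period_of_index(p, j_rev):
        return True                      # j belongs to an earlier time-period
    return j < j_rev - p.margin          # same period: below the revoked index
```
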

Any disclosed embodiment may be combined with one or several of the other embodiments 
shown and/or described. This is also possible for one or more features of the embodiments. 

Computer program means or computer program in the present context mean any expression, 
in any language, code or notation, of a set of instructions intended to cause a system having an 
information processing capability to perform a particular function either directly or after either 
or both of the following: a) conversion to another language, code or notation; b) reproduction 
in a different material form. 

CLAIMS 

1. A method for providing a secret cryptographic key (sk) and a public cryptographic key 
(pk) applicable in a network of connected computer nodes using a signature scheme, the 
method being executable by a first computer node and comprising the steps of: 

- generating the secret cryptographic key (sk) by 

- selecting two random factor values (P, Q), 

- multiplying the two selected random factor values (P, Q) to obtain a modulus value 
(N), and 

- selecting a secret base value (g', h', x') in dependence on the modulus value (N), 
wherein the secret base value (g', h', x') forms part of the secret cryptographic key (g', 
h', x'), 

- generating the public cryptographic key (pk) by 

- selecting a number (l) of exponent values (e_1,...,e_l), and 

- deriving a public base value (g, h, x) from the exponent values (e_1,...,e_l) and the 
secret base value (g', h', x'), wherein the public base value (g, h, x) and the modulus 
value (N) form part of the public cryptographic key (g, h, x, N); 

- deleting the two random factor values (P, Q); and 

- providing the public cryptographic key (g, h, x, N) within the network; 

such that the public cryptographic key (g, h, x, N) and at least one of the selected 
exponent values (e_1,...,e_l) is usable for verifying a signature value (i, y, a) on a message 
(m) to be sent within the network to a second computer node for verification. 

2. The method according to claim 1 further comprising providing a description of the 
exponent values (e_1,...,e_l) within the network. 

3. The method according to any preceding claim further comprising defining an order of the 
selected exponent values (e_1,...,e_l) for enabling to communicate the validity of the 
signature value (i, y, a) in the event of a detected intrusion. 

4. A method for providing a signature value (i, y, a) on a message (m) in a network of 
connected computer nodes, the method being executable by a first computer node and 
comprising the steps of: 

- selecting a first signature element (a); 

- selecting a signature exponent value (e_i) from a number (l) of exponent values (e_1,...,e_l); 
and 

- deriving a second signature element (y) from a provided secret cryptographic key (g'_i, 
h'_i, x'_i), the message (m), and the number (l) of exponent values (e_1,...,e_l) such that the first 
signature element (a), the second signature element (y), and the signature exponent value 
(e_i) satisfy a known relationship with the message (m) and a provided public 
cryptographic key (g, h, x, N), wherein the signature value (i, y, a) comprises the first 
signature element (a), the second signature element (y), and a signature reference (i) to 
the signature exponent value (e_i), 

the signature value (i, y, a) being sendable within the network to a second computer node 
for verification. 

5. The method according to claim 4, wherein the step of deriving a second signature element 
(y) further comprises deriving a signature base value (g_i, h_i, x_i) using a provided public 
cryptographic key (g, h, x, N), the provided secret cryptographic key (g'_i, h'_i, x'_i), and the 
exponent values (e_1,...,e_l). 

6. The method according to claim 4 or 5 further comprising deriving a new secret 
cryptographic key (g'_{i+1}, h'_{i+1}, x'_{i+1}) from the provided secret cryptographic key (g'_i, h'_i, x'_i) 
and the selected signature exponent value (e_i). 

7. A method for verifying a signature value (i, y, a) on a message (m) in a network of 
connected computer nodes, the method being executable by a second computer node and 
comprising the steps of: 

- receiving the signature value (i, y, a) from a first computer node; 

- deriving a signature exponent value (e_i) from the signature value (i, y, a); and 

- verifying whether the signature exponent value (e_i) and part of the signature value (i, y, 
a) satisfy a known relationship with the message (m) and a provided public cryptographic 
key (g, h, x, N), otherwise refusing the signature value (i, y, a), 

wherein the signature value (i, y, a) was generated from a first signature element (a), a 
number (l) of exponent values (e_1,...,e_l), a provided secret cryptographic key (g'_i, h'_i, x'_i), 
and the message (m). 



8. A method for communicating within a network of connected computer nodes the validity 
of a signature value (i, y, a) in the event of an exposure of a secret cryptographic key (sk) 
relating to the signature value (i, y, a), the method comprising the steps of: 

- defining an order of exponent values (e_1,...,e_l); 

- publishing a description of the exponent values (e_1,...,e_l) and the order of the exponent 
values (e_1,...,e_l) within the network; 

- publishing a revocation reference (j) to one of the exponent values (e_1,...,e_l) within the 
network such that the validity of the signature value (i, y, a) is determinable by using the 
revocation reference (j), the order of exponent values (e_1,...,e_l), and a provided public 
cryptographic key (pk). 

9. The method according to any preceding claim further comprising applying each of the 
exponent values (e_1,...,e_l) to at most one signature value (i, y, a). 

10. A computer program element comprising program code means for performing a method 
of any one of the claims 1 to 9 when said program is run on a computer. 

11. A computer program product stored on a computer usable medium, comprising computer 
readable program means for causing a computer to perform a method according to any one 
of the preceding claims 1 to 9. 

12. A network device (p_i) comprising: 

- a computer program product according to claim 11; 

- a processor for executing the method; 

- the processor having access to exchanged messages in the network. 

Abstract 

The presented methods form the basis of a forward-secure signature scheme that is provably 
secure. Moreover, the presented methods also form the basis of a fine-grained forward-secure 
signature scheme that is secure and efficient. The scheme allows immediate reaction to 
hacker break-ins such that signatures from the past still remain valid without re-issuing them 
and future signature values based on an exposed key can be identified accordingly. In general, 
each prepared signature carries an ascending index such that once an index is used, no lower 
index can be used to sign. Then, whenever an adversary breaks in, an honest signer can just 
announce the current index, e.g., by signing some special message with respect to the current 
index, as part of the revocation message for the current time period. It is then understood that 
all signatures made in prior time periods as well as all signatures made in the revoked period 
up to the announced index are valid, i.e., non-repudiable. 

[Fig. 3] 